- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: whats the rex command to filter the special ch...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
whats the rex command to filter the special characters and extract only required fields?
Hello experts,
logs looks something like this..
(java.lang.RuntimeException: java.util.concurrent.ExecutionException: java.lang.RuntimeException:...
null\n\njava.lang.IllegalArgumentException
: java.util.concurrent.ExecutionException..
( java.util.concurrent.ExecutionException)
" java.util.concurrent.ExecutionException"
query should ignore the special characters before java and take only exception.
example: query should find "java.lang.IllegalArgumentException" from this log line "null\n\njava.lang.IllegalArgumentException".
I am able to pull exceptions which are not associated with special characters using rex "(?java?.[.\w]+Exception)" but
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you please provide full sample events and output you want?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello!
Try this run anywhere search
| makeresults
| eval _raw="null\n\njava.lang.IllegalArgumentException
: java.util.concurrent.ExecutionException..
( java.util.concurrent.ExecutionException)
\" java.util.concurrent.ExecutionException\""
| rex field=_raw max_match=0 "(?<javaexception>java?.[.\w]+Exception)"
You can try something like this
| rex field=_raw (?<javaexception>java?.[.\w]+Exception)
OR
| rex field=_raw (?<javaexception>java.*Exception)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ddint work. its not correct.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I edited my answer. did you check?
Also, if its not correct can you elaborate by giving sample inputs and what output you want
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this run anywhere search
| makeresults
| eval _raw="null\n\njava.lang.IllegalArgumentException
: java.util.concurrent.ExecutionException..
( java.util.concurrent.ExecutionException)
\" java.util.concurrent.ExecutionException\""
| rex field=_raw max_match=0 "(?<java>(\S+|)java.\w+.*Exception)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
no rex command is still not working.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you please send me one full event? Also, please send the search query you're using.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For this, you need to use max_match=0 in the rex expression.
Use this query
rex field=_raw max_match=0 "(?<java>(\S+|)java.\w+.*Exception)"
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
